The "Raccoon" infostealer, first discovered in the wild earlier this year, is rapidly gaining popularity on underground forums due to its low cost and its ability to steal a wide range of data, including credit card numbers and cryptocurrency wallets. Despite not being especially sophisticated or innovative, the malware (also known as Mohazo and Racealer) has already infected hundreds of thousands of devices around the world and is currently one of the ten most-mentioned malware families of 2019 on underground forums, according to a new report from Cybereason.
While the "Raccoon" malware lacks sophistication and does not provide extensive capabilities, it has some perks, such as ease of use, several potential delivery methods, and the ability to steal a wide range of data, including credit card information, cryptocurrency wallets, browser data, and email credentials, Cybereason says.
Raccoon, which was first spotted in the wild in April, appears to have originated within the Russian cybercriminal underground but quickly spread to English-language forums, according to the analysis.
Raccoon is sold under a malware-as-a-service model: cybercriminals only need access to a Tor-hosted control panel to launch attacks against whatever targets they pick. The subscription currently costs $200 per month, according to the researchers. The malware, written in C++, is delivered in several ways, typically through the Fallout and RIG exploit kits, through phishing campaigns using malicious Office documents whose macros download and install Raccoon, and through bundling with other malware. Raccoon runs on both 32-bit and 64-bit Windows. Once installed on a machine, it connects to a command-and-control server and first checks the system's locale. It then searches the system for a range of confidential data, which it collects and sends to its operator.
The Raccoon stealer reads the target machine's locale settings and compares them against a list of languages: Russian, Ukrainian, Belarusian, Kazakh, Kyrgyz, Armenian, Tajik, and Uzbek. If the machine's locale matches one of these languages, the malware immediately aborts, a common practice for malware originating from CIS countries. Based on this clue and several other details, the researchers theorized that the developers behind the malware are of Russian origin.
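The locale check described above is usually implemented by reading the Windows LANGID (the low 10 bits are the primary language, the high 6 bits the sublanguage) and comparing only the primary language against a blocklist. The following C program is an added example that reproduces that logic for the eight languages named in the report; it is not Raccoon's code and the Cybereason report does not say which API or representation the malware uses, so the LANGID-based comparison is an assumption. The language constants are the documented WinNT.h values, redefined here so the program builds without windows.h; the sample LCIDs are constructed test inputs.

```c
#include <stdio.h>
#include <stdint.h>

/* Windows LANGID layout: low 10 bits = primary language, high 6 bits = sublanguage.
 * These are the documented WinNT.h values, redefined so the example builds on
 * any platform without windows.h (do not also include windows.h). */
#define PRIMARYLANGID(lgid)  ((uint16_t)(lgid) & 0x3ff)
#define LANG_RUSSIAN     0x19
#define LANG_UKRAINIAN   0x22
#define LANG_BELARUSIAN  0x23
#define LANG_KAZAK       0x3f
#define LANG_KYRGYZ      0x40
#define LANG_ARMENIAN    0x2b
#define LANG_TAJIK       0x28
#define LANG_UZBEK       0x43

/* Language blocklist as listed in the report. Storing it as LANGIDs is an
 * assumption for this example; the report only names the languages. */
static const uint16_t cis_langs[] = {
    LANG_RUSSIAN, LANG_UKRAINIAN, LANG_BELARUSIAN, LANG_KAZAK,
    LANG_KYRGYZ, LANG_ARMENIAN, LANG_TAJIK, LANG_UZBEK,
};

/* Returns 1 if a stealer with this logic would abort on the given LANGID/LCID,
 * 0 if it would proceed. Only the primary language is compared, so every
 * sublanguage variant (e.g. uz-Latn-UZ 0x0443 and uz-Cyrl-UZ 0x0843) matches. */
int should_abort_on_locale(uint16_t langid)
{
    uint16_t primary = PRIMARYLANGID(langid);
    for (size_t i = 0; i < sizeof cis_langs / sizeof cis_langs[0]; i++)
        if (cis_langs[i] == primary)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample LCIDs: en-US, de-DE, ru-RU, uk-UA, kk-KZ, uz-Cyrl-UZ */
    const uint16_t samples[] = { 0x0409, 0x0407, 0x0419, 0x0422, 0x043f, 0x0843 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("LCID 0x%04x -> %s\n", samples[i],
               should_abort_on_locale(samples[i]) ? "abort" : "continue");
    return 0;
}
```

On a live Windows host the input would come from a call such as GetUserDefaultUILanguage() or GetUserDefaultLCID() rather than a hard-coded sample; which one (if either) Raccoon uses is not stated in the report. The practical point for defenders is that such a check keys off a single primary-language value, which is why it is worth recording the locale of a suspected victim machine during triage: a CIS-locale host that nonetheless shows Raccoon activity suggests a variant or build that behaves differently from the analyzed sample.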
“Many in the community praise and endorse Raccoon’s malware capabilities and the services the team provides. Some voices in the community even endorse it as a worthy replacement for the famous Azorult stealer,” Cybereason says.
Although Raccoon is still under active development, researchers say that “its popularity, even with a limited feature set, signals the continuation of a growing trend of the commoditization of malware as they follow a MaaS model and evolve their efforts.”